diff --git a/.github/workflows/arrow.yml b/.github/workflows/arrow.yml
index 64f5918..753e985 100644
--- a/.github/workflows/arrow.yml
+++ b/.github/workflows/arrow.yml
@@ -3,7 +3,7 @@ name: Arrow
run-name: Arrow - ${{ inputs.rebuild && 'Rebuild and ' || '' }}${{ inputs.action == 'create' && 'Create' || ( inputs.action == 'destroy' && 'Destroy' || 'No Action' ) }}
env:
- TERRAFORM_DIRECTORY: hosts/arrow
+ TERRAFORM_DIRECTORY: hosts/arrow/vultr
DEPLOY_IDENTITY_BASE64: ${{ secrets.DEPLOY_IDENTITY_BASE64 }}
ARROW_IDENTITY_BASE64: ${{ secrets.ARROW_IDENTITY_BASE64 }}
CLOUDFLARE_R2_ENDPOINT: "${{ secrets.CLOUDFLARE_ACCOUNT_ID }}.r2.cloudflarestorage.com"
diff --git a/flake.nix b/flake.nix
index f78a3c9..3b69d5c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -22,8 +22,7 @@
# Used for user packages and dotfiles
home-manager = {
url = "github:nix-community/home-manager/master";
- inputs.nixpkgs.follows =
- "nixpkgs"; # Use system packages list for their inputs
+ inputs.nixpkgs.follows = "nixpkgs"; # Use system packages list for their inputs
};
# Community packages; used for Firefox extensions
@@ -179,78 +178,75 @@
# Alternatively, could consider using https://github.com/fufexan/nix-gaming
proton-ge = {
# https://github.com/GloriousEggroll/proton-ge-custom/releases
- url =
- "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton9-2/GE-Proton9-2.tar.gz";
+ url = "https://github.com/GloriousEggroll/proton-ge-custom/releases/download/GE-Proton9-2/GE-Proton9-2.tar.gz";
flake = false;
};
# Firefox addon from outside the extension store
bypass-paywalls-clean = {
# https://gitlab.com/magnolia1234/bpc-uploads/-/commits/master/?ref_type=HEADS
- url =
- "git+https://git.masu.rs/noah/bpc-uploads"; # temporary, shouldn't rely on myself
+ url = "git+https://git.masu.rs/noah/bpc-uploads"; # temporary, shouldn't rely on myself
flake = false;
};
# Nextcloud Apps
nextcloud-news = {
# https://github.com/nextcloud/news/releases
- url =
- "https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz";
+ url = "https://github.com/nextcloud/news/releases/download/25.0.0-alpha3/news.tar.gz";
flake = false;
};
nextcloud-external = {
# https://github.com/nextcloud-releases/external/releases
- url =
- "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz";
+ url = "https://github.com/nextcloud-releases/external/releases/download/v5.3.1/external-v5.3.1.tar.gz";
flake = false;
};
nextcloud-cookbook = {
# https://github.com/christianlupus-nextcloud/cookbook-releases/releases/
- url =
- "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz";
+ url = "https://github.com/christianlupus-nextcloud/cookbook-releases/releases/download/v0.11.0/cookbook-0.11.0.tar.gz";
flake = false;
};
nextcloud-snappymail = {
# https://github.com/the-djmaze/snappymail/releases
- url =
- "https://snappymail.eu/repository/nextcloud/snappymail-2.32.0-nextcloud.tar.gz";
+ url = "https://snappymail.eu/repository/nextcloud/snappymail-2.32.0-nextcloud.tar.gz";
flake = false;
};
-
};
- outputs = { nixpkgs, ... }@inputs:
+ outputs =
+ { nixpkgs, ... }@inputs:
let
# Global configuration for my systems
- globals = let baseName = "masu.rs";
- in rec {
- user = "noah";
- fullName = "Noah Masur";
- gitName = fullName;
- gitEmail = "7386960+nmasur@users.noreply.github.com";
- mail.server = "noahmasur.com";
- mail.imapHost = "imap.purelymail.com";
- mail.smtpHost = "smtp.purelymail.com";
- dotfilesRepo = "https://github.com/nmasur/dotfiles";
- hostnames = {
- git = "git.${baseName}";
- influxdb = "influxdb.${baseName}";
- irc = "irc.${baseName}";
- metrics = "metrics.${baseName}";
- minecraft = "minecraft.${baseName}";
- prometheus = "prom.${baseName}";
- paperless = "paper.${baseName}";
- secrets = "vault.${baseName}";
- stream = "stream.${baseName}";
- content = "cloud.${baseName}";
- books = "books.${baseName}";
- download = "download.${baseName}";
- transmission = "transmission.${baseName}";
+ globals =
+ let
+ baseName = "masu.rs";
+ in
+ rec {
+ user = "noah";
+ fullName = "Noah Masur";
+ gitName = fullName;
+ gitEmail = "7386960+nmasur@users.noreply.github.com";
+ mail.server = "noahmasur.com";
+ mail.imapHost = "imap.purelymail.com";
+ mail.smtpHost = "smtp.purelymail.com";
+ dotfilesRepo = "https://github.com/nmasur/dotfiles";
+ hostnames = {
+ git = "git.${baseName}";
+ influxdb = "influxdb.${baseName}";
+ irc = "irc.${baseName}";
+ metrics = "metrics.${baseName}";
+ minecraft = "minecraft.${baseName}";
+ prometheus = "prom.${baseName}";
+ paperless = "paper.${baseName}";
+ secrets = "vault.${baseName}";
+ stream = "stream.${baseName}";
+ content = "cloud.${baseName}";
+ books = "books.${baseName}";
+ download = "download.${baseName}";
+ transmission = "transmission.${baseName}";
+ };
};
- };
# Common overlays to always use
overlays = [
@@ -271,13 +267,17 @@
];
# System types to support.
- supportedSystems =
- [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
+ supportedSystems = [
+ "x86_64-linux"
+ "x86_64-darwin"
+ "aarch64-linux"
+ "aarch64-darwin"
+ ];
# Helper function to generate an attrset '{ x86_64-linux = f "x86_64-linux"; ... }'.
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
-
- in rec {
+ in
+ rec {
# Contains my full system builds, including home-manager
# nixos-rebuild switch --flake .#tempest
@@ -292,65 +292,86 @@
# Contains my full Mac system builds, including home-manager
# darwin-rebuild switch --flake .#lookingglass
darwinConfigurations = {
- lookingglass =
- import ./hosts/lookingglass { inherit inputs globals overlays; };
+ lookingglass = import ./hosts/lookingglass { inherit inputs globals overlays; };
};
# For quickly applying home-manager settings with:
# home-manager switch --flake .#tempest
homeConfigurations = {
- tempest =
- nixosConfigurations.tempest.config.home-manager.users.${globals.user}.home;
- lookingglass =
- darwinConfigurations.lookingglass.config.home-manager.users."Noah.Masur".home;
+ tempest = nixosConfigurations.tempest.config.home-manager.users.${globals.user}.home;
+ lookingglass = darwinConfigurations.lookingglass.config.home-manager.users."Noah.Masur".home;
};
# Disk formatting, only used once
- diskoConfigurations = { root = import ./disks/root.nix; };
-
- packages = let
- arrow = system:
- import ./hosts/arrow { inherit inputs globals overlays system; };
- aws = system:
- import ./hosts/aws { inherit inputs globals overlays system; };
- staff = system:
- import ./hosts/staff { inherit inputs globals overlays system; };
- neovim = system:
- let pkgs = import nixpkgs { inherit system overlays; };
- in import ./modules/common/neovim/package {
- inherit pkgs;
- colors = (import ./colorscheme/gruvbox-dark).dark;
- };
- in {
- x86_64-linux.arrow = arrow "x86_64-linux";
- x86_64-linux.aws = aws "x86_64-linux";
- x86_64-linux.staff = staff "x86_64-linux";
- x86_64-linux.image = {
- arrow = inputs.nixos-generators.nixosGenerate {
- system = "x86_64-linux";
- format = "iso";
- modules = import ./hosts/arrow/modules.nix {
- inherit inputs globals overlays;
- };
- };
- };
-
- # Package Neovim config into standalone package
- x86_64-linux.neovim = neovim "x86_64-linux";
- x86_64-darwin.neovim = neovim "x86_64-darwin";
- aarch64-linux.neovim = neovim "aarch64-linux";
- aarch64-darwin.neovim = neovim "aarch64-darwin";
+ diskoConfigurations = {
+ root = import ./disks/root.nix;
};
+ packages =
+ let
+ arrow =
+ system:
+ import ./hosts/arrow {
+ inherit
+ inputs
+ globals
+ overlays
+ system
+ ;
+ };
+ staff =
+ system:
+ import ./hosts/staff {
+ inherit
+ inputs
+ globals
+ overlays
+ system
+ ;
+ };
+ neovim =
+ system:
+ let
+ pkgs = import nixpkgs { inherit system overlays; };
+ in
+ import ./modules/common/neovim/package {
+ inherit pkgs;
+ colors = (import ./colorscheme/gruvbox-dark).dark;
+ };
+ in
+ {
+ x86_64-linux.staff = staff "x86_64-linux";
+ x86_64-linux.image = {
+ arrow = inputs.nixos-generators.nixosGenerate {
+ system = "x86_64-linux";
+ format = "iso";
+ modules = import ./hosts/arrow/modules.nix { inherit inputs globals overlays; };
+ };
+ };
+
+ # Package Neovim config into standalone package
+ x86_64-linux.neovim = neovim "x86_64-linux";
+ x86_64-darwin.neovim = neovim "x86_64-darwin";
+ aarch64-linux.neovim = neovim "aarch64-linux";
+ aarch64-darwin.neovim = neovim "aarch64-darwin";
+ };
+
# Programs that can be run by calling this flake
- apps = forAllSystems (system:
- let pkgs = import nixpkgs { inherit system overlays; };
- in import ./apps { inherit pkgs; });
+ apps = forAllSystems (
+ system:
+ let
+ pkgs = import nixpkgs { inherit system overlays; };
+ in
+ import ./apps { inherit pkgs; }
+ );
# Development environments
- devShells = forAllSystems (system:
- let pkgs = import nixpkgs { inherit system overlays; };
- in {
+ devShells = forAllSystems (
+ system:
+ let
+ pkgs = import nixpkgs { inherit system overlays; };
+ in
+ {
# Used to run commands and edit files in this repo
default = pkgs.mkShell {
@@ -419,6 +440,5 @@
description = "Rust template";
};
};
-
};
}
diff --git a/hosts/aws/main.tf b/hosts/arrow/aws/main.tf
similarity index 98%
rename from hosts/aws/main.tf
rename to hosts/arrow/aws/main.tf
index b9abd5c..4fbb2ca 100644
--- a/hosts/aws/main.tf
+++ b/hosts/arrow/aws/main.tf
@@ -26,7 +26,7 @@ data "aws_iam_policy_document" "vmimport" {
actions = [
"s3:GetBucketLocation",
"s3:GetObject",
- "s3:ListBucket",
+ "s3:ListBucket",
]
resources = [
"arn:aws:s3:::${aws_s3_object.image.bucket}",
diff --git a/hosts/arrow/default.nix b/hosts/arrow/default.nix
index ae46a51..90f5922 100644
--- a/hosts/arrow/default.nix
+++ b/hosts/arrow/default.nix
@@ -1,3 +1,6 @@
+# The Arrow
+# System configuration for temporary VM
+
{
inputs,
globals,
diff --git a/hosts/arrow/main.tf b/hosts/arrow/vultr/main.tf
similarity index 100%
rename from hosts/arrow/main.tf
rename to hosts/arrow/vultr/main.tf
diff --git a/hosts/aws/default.nix b/hosts/aws/default.nix
deleted file mode 100644
index 44ff674..0000000
--- a/hosts/aws/default.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{
- inputs,
- system,
- globals,
- overlays,
- ...
-}:
-
-inputs.nixos-generators.nixosGenerate {
- inherit system;
- format = "amazon";
- modules =
- [
- globals
- inputs.home-manager.nixosModules.home-manager
- {
- nixpkgs.overlays = overlays;
- networking.hostName = "sheep";
- gui.enable = false;
- theme.colors = (import ../../colorscheme/gruvbox).dark;
- passwordHash = null;
- publicKeys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s personal"
- ];
- # AWS settings require this
- permitRootLogin = "prohibit-password";
- }
- ../../modules/common
- ../../modules/nixos
- ../../modules/nixos/services/sshd.nix
- ]
- ++ [
- # Required to fix diskSize errors during build
- (
- { ... }:
- {
- amazonImage.sizeMB = 16 * 1024;
- }
- )
- ];
-}
diff --git a/hosts/aws/workflow.yml b/hosts/aws/workflow.yml
deleted file mode 100644
index b8e38d1..0000000
--- a/hosts/aws/workflow.yml
+++ /dev/null
@@ -1,280 +0,0 @@
-name: 'Terraform'
-env:
-
- AWS_ACCOUNT_NUMBER: ''
- AWS_PLAN_ROLE_NAME: github_actions_plan
- AWS_APPLY_ROLE_NAME: github_actions_admin
-
- # Always required. Used for authenticating to AWS, but can also act as your
- # default region if you don't want to specify in the provider configuration.
- AWS_REGION: us-east-1
-
- # You must change these to fit your project.
- TF_VAR_project: change-me
- TF_VAR_label: change-me
- TF_VAR_owner: Your Name Here
-
- # If storing Terraform in a subdirectory, specify it here.
- TERRAFORM_DIRECTORY: .
-
- # Pinned versions of tools to use.
- # Check for new releases:
- # - https://github.com/hashicorp/terraform/releases
- # - https://github.com/fugue/regula/releases
- # - https://github.com/terraform-linters/tflint/releases
- TERRAFORM_VERSION: 1.2.6
- REGULA_VERSION: 2.9.0
- TFLINT_VERSION: 0.39.1
-
- # Terraform configuration options
- TERRAFORM_PARALLELISM: 10
-
- # These variables are passed to Terraform based on GitHub information.
- TF_VAR_repo: ${{ github.repository }}
-
-# This workflow is triggered in the following ways.
-on:
-
- # Any push or merge to these branches.
- push:
- branches:
- - dev
- - prod
-
- # Any pull request targeting these branches (plan only).
- pull_request:
- branches:
- - dev
- - prod
-
-
- # Any manual trigger on these branches.
- workflow_dispatch:
- branches:
- - dev
- - prod
-
-# -------------------------------------------------------------------
-# The rest of this workflow can operate without adjustments. Edit the
-# below content at your own risk!
-# -------------------------------------------------------------------
-
-# Used to connect to AWS IAM
-permissions:
- id-token: write
- contents: read
- pull-requests: write
-
-# Only run one workflow at a time for each Terraform state. This prevents
-# lockfile conflicts, especially during PR vs push.
-concurrency: terraform-${{ github.base_ref || github.ref }}
-
-jobs:
- terraform:
-
- name: 'Terraform'
-
- # Change this if you need to run your deployment on-prem.
- runs-on: ubuntu-latest
-
- steps:
-
- # Downloads the current repo code to the runner.
- - name: Checkout Repo Code
- uses: actions/checkout@v3
-
- # Enable access to KVM, required to build an image
- - name: Enable KVM group perms
- run: |
- echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
- sudo udevadm control --reload-rules
- sudo udevadm trigger --name-match=kvm
-
- # Login to AWS
- - name: AWS Assume Role
- uses: aws-actions/configure-aws-credentials@v1.6.1
- with:
- role-to-assume: ${{ env.AWS_ROLE_ARN }}
- aws-region: ${{ env.AWS_REGION }}
-
- # Install Nix
- - name: Install Nix
- uses: cachix/install-nix-action@v17
- with:
- extra_nix_config: |
- substituters = s3://insert-cache-bucket https://cache.nixos.org/
- trusted-public-keys = insert-cache-bucket:M6PsZjHXcLvbQyPUBLICKEYGVoNwI84g1FBQzouRU= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
-
- # Build the image
- - name: Build Image
- run: nix build .#aws
-
- # Copy the image to S3
- - name: Upload Image to Cache
- env:
- NIX_CACHE_PRIVATE_KEY: ${{ secrets.NIX_CACHE_PRIVATE_KEY }}
- run: |
- echo "$NIX_CACHE_PRIVATE_KEY" > cache.key
- nix store sign --key-file cache.key $(readlink result)
- nix copy --to s3://t2-aws-nixos-test $(readlink result)
- rm cache.key
-
- # Exports all GitHub Secrets as environment variables prefixed by
- # "TF_VAR_", which exposes them to Terraform. The name of each GitHub
- # Secret must match its Terraform variable name exactly.
- - name: Export Secrets to Terraform Variables
- env:
- ALL_SECRETS: ${{ toJson(secrets) }}
- run: |
- echo "$ALL_SECRETS" \
- | jq "to_entries | .[] | \"TF_VAR_\" + ( .key | ascii_downcase ) + \"=\" + .value" \
- | tr -d \" >> $GITHUB_ENV
-
- # Installs the Terraform binary and some other accessory functions.
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
- with:
- terraform_version: ${{ env.TERRAFORM_VERSION }}
-
- # Checks whether Terraform is formatted properly. If this fails, you
- # should install the pre-commit hook.
- - name: Check Formatting
- run: |
- terraform fmt -no-color -check -diff -recursive
-
- # Downloads a Terraform code lint test.
- - uses: terraform-linters/setup-tflint@v1
- name: Setup TFLint
- with:
- tflint_version: v${{ env.TFLINT_VERSION }}
-
- # Sets up linting with this codebase.
- - name: Init TFLint
- working-directory: ${{ env.TERRAFORM_DIRECTORY }}
- run: tflint --init
-
- # Lints the current code.
- - name: Run TFLint
- working-directory: ${{ env.TERRAFORM_DIRECTORY }}
- run: |
- tflint -f compact
- find ./modules/* -type d -maxdepth 0 | xargs -I __ tflint -f compact --disable-rule=terraform_required_providers --disable-rule=terraform_required_version __
-
- # Connects to remote state backend and download providers.
- - name: Terraform Init
- working-directory: ${{ env.TERRAFORM_DIRECTORY }}
- run: |
- terraform init \
- -backend-config="role_arn=${{ env.AWS_STATE_ROLE_ARN }}" \
- -backend-config="region=us-east-1" \
- -backend-config="workspace_key_prefix=accounts/${{ env.AWS_ACCOUNT_NUMBER }}/${{ github.repository }}" \
- -backend-config="key=state.tfstate" \
- -backend-config="dynamodb_table=global-tf-state-lock"
-
- # Set the Terraform Workspace to the current branch name.
- - name: Set Terraform Workspace
- working-directory: ${{ env.TERRAFORM_DIRECTORY }}
- shell: bash
- run: |
- export WORKSPACE=${{ github.base_ref || github.ref_name }}
- terraform workspace select ${WORKSPACE} || terraform workspace new $WORKSPACE
- echo "TF_WORKSPACE=$(echo ${WORKSPACE} | sed 's/\//_/g')" >> $GITHUB_ENV
-
- # Checks differences between current code and infrastructure state.
- - name: Terraform Plan
- id: plan
- working-directory: ${{ env.TERRAFORM_DIRECTORY }}
- run: |
- terraform plan \
- -input=false \
- -no-color \
- -out=tfplan \
- -parallelism=${TERRAFORM_PARALLELISM} \
- -var-file=variables-${TF_WORKSPACE}.tfvars
-
- # Gets the results of the plan for pull requests.
- - name: Terraform Show Plan
- id: show
- working-directory: ${{ env.TERRAFORM_DIRECTORY }}
- run: terraform show -no-color tfplan
-
- # Adds the results of the plan to the pull request.
- - name: Comment Plan
- uses: actions/github-script@v6
- if: github.event_name == 'pull_request'
- env:
- STDOUT: "```terraform\n${{ steps.show.outputs.stdout }}```"
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- // 1. Retrieve existing bot comments for the PR
- const { data: comments } = await github.rest.issues.listComments({
- owner: context.repo.owner,
- repo: context.repo.repo,
- issue_number: context.issue.number,
- })
- const botComment = comments.find(comment => {
- return comment.user.type === 'Bot' && comment.body.includes('Terraform Format and Style')
- })
-
- // 2. Prepare format of the comment
- const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
- #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
- #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
- Validation Output
-
- \`\`\`\n
- ${{ steps.validate.outputs.stdout }}
- \`\`\`
-
- Show Plan
-
- \`\`\`\n
- ${process.env.PLAN}
- \`\`\`
-
-